c03d2270b3976153cd4b811136ef27b74a6d2086
[ssproject1617.git] / report / reflection.tools.tex

% How useful were code analysis tools?
The usefulness of the Fortify Static Code Analysis tool turned out to be very limited.
Since we had most verdicts ready before a license was provided, we couldn't use
the tool as an initial guide through the code. This forced us to manually check
the application source, which took quite some time. After the tool became available we
didn't get any new insights regarding potential security risks, just more examples
of problems we had already detected.

% How could they be improved? (not really an answer, but we didn't really use the tool either?)
In our opinion the tool could have proved very useful in pointing out certain security
flaws in the initial stage of this project, since we spent a lot of time scanning the
application code-base. Since Fortify located relatively low-level problems, we could
have used these to locate potential hot-spots, saving us from going through every
source file and trying to determine whether it is part of the application's external
access points. In order to improve upon the tool we suggest a larger focus on
determining which parts of an application need to be secure and less on pointing
out actual security flaws.

% How did you experience the rates and amounts of false and true positives?
TODO: feedback per group member, I have no idea how everyone experienced this.

% How might that be improved?